Certifications and Codes of Conduct
Certification schemes exist to encourage and demonstrate compliance with data protection standards. GDPR Article 43 sets the criteria and procedure for accrediting certification bodies. Article 43(1) requires the Member States to ‘ensure’ that certification bodies are accredited by a supervisory authority. Certifications represent a new opportunity for controllers and processors to demonstrate that their processing operations comply with the GDPR.
F0llowing a public consultation process, the Luxembourg National Commission for Data Protection (CNPD) has developed a certification scheme for the processing of personal data “GDPR Certified Insurance Report Based Processing Activities (GDPR-CARPA).” This certification scheme is intended for data controllers and processors. The certification scheme consists of two ‘pillars’:
- certification criteria for organizations seeking the certification seal. This pillar was a priority in the sense that an organization applying for the certification of these treatments must if necessary, prior to the certification procedure, put in place specific measures to be able to comply with the criteria. Organizations interested in being certified are encouraged to consider these criteria and to assess the extent to which they want to take a proactive approach to their preparations. Interested organizations can contact the CNPD in case of any questions.
- accreditation criteria for organizations seeking to become a certification body. While the GDPR-CARPA certification scheme, subject to public consultation, already included a description of these criteria, the CNPD decided to continue to develop them, in particular, to align them with the work of developing guidance on accreditation currently being carried out by the European Data Protection Board (EDPB). Since the CNPD objective is to ensure a European coherence of its work, the CNPD will communicate these criteria to the EDPB after finalizing this guidance – probably towards the end of this year or beginning of 2019. The CNPD intends to continue to carry out the work in consultation with industry professionals with expertise in the field of data protection and in the field of certification. For any questions, additional information or participation, you are invited to contact the relevant services of the CNPD.
Luxembourg Certification Resources
Codes of Conduct
The GDPR Art. 40 recommends for organizations to use Codes of Conduct as a voluntary tool for proper and effective GDPR application. Codes of conduct should be tailored to reflect specific needs of various sectors and sizes of organizations. Trade associations or bodies representing a sector can create codes of conduct to help their sector comply with the GDPR in an efficient and cost-effective way. Furthermore, Codes of Conduct are strong accountability and compliance indicator towards the regulator, public, and business partners.
So far, the CNPD has not provided any official further guidance on the process of submitting or drafting Codes of Conduct under the GDPR.
Certifications and Codes of Conduct
Certification schemes and Codes of conduct are established under the GDPR as an accountability element to demonstrate the organizations’ compliance with privacy laws and to facilitate data transfers or vendor management.
Last Updated: July 30, 2019
OneTrust is the #1 most widely used privacy, security and third-party risk technology platform trusted by more than 3,000 companies to comply with the CCPA, GDPR, ISO27001 and hundreds of the world’s privacy and security laws. OneTrust's three primary offerings include OneTrust Privacy Management Software, OneTrust PreferenceChoice™ consent and preference management software, and OneTrust Vendorpedia™ third-party risk management software and vendor risk exchange. To learn more, visit OneTrust.com or connect on LinkedIn, Twitter and Facebook.